How Fourth-Party Breaches Can Affect Your Organisation

Explore the impact that fourth-party supply chain breaches can have on your organisation. Learn how vulnerabilities in your extended supply chain can disrupt operations & how to safeguard your business.


Executive Summary:

Supply chain cyber attacks are the number one cyber threat facing organisations today. To harden your supply chain security, however, ensuring that your immediate suppliers have appropriate security postures in place is no longer enough. To secure our supply chains, we need to broaden our approach from third-party risk management to also include fourth-party risks. Unfortunately, according to UK Government research, only 13% of organisations currently review their immediate suppliers, and just 7% investigate risks in fourth-parties.

This article discusses why fourth-party risks matter, what your organisation can do to reduce the risks emanating from organisations beyond your immediate suppliers and partners (your 4th, 5th and nth parties), and how you can gain greater visibility over your extended supply chain ecosystem to identify these risks. Specifically, in this article you will learn:

  • How the MOVEit Transfer attack affected over 2,000 organisations globally, including numerous organisations that were not direct users of the file transfer software.
  • Why third-party risk management approaches to securing your supply chain are no longer enough.
  • What regulators are saying about the importance of fourth-party risk management, and what they expect organisations to do.
  • How you can gain full visibility over your extended supply chain ecosystem, including 4th, 5th and nth parties, as a first step to understanding your supply chain risks beyond your immediate third-parties.
  • How a tier-one bank, using Risk Ledger, managed within 48 hours to identify 36 fourth-parties, 175 fifth parties, 15 sixth parties and 27 seventh parties, as well as 7 potential concentration risks.

Introduction: Consider This Scenario

Imagine it is 1pm on a Friday and you learn that a widely-used file sharing platform has been breached by threat actors who are actively exploiting a zero-day vulnerability in the software. As a senior cyber security professional at a large financial services firm, responsible for keeping your company’s systems and data safe, your mind switches to response mode.

This seems to be a fast-evolving situation, so you had better check whether your organisation is using this file transfer software, too. You call procurement and ask them to confirm whether the software provider is among your third-parties, and you also check your own list of supplier organisations that you have run security assurance programmes against, just to make sure.

You breathe a sigh of relief when you find out that, luckily, your organisation is not using the software. So you are safe, you think; at least this time your concerns could be put to rest quickly.

A week later, however, you find out that while your organisation has not used the affected file transfer software itself, one of your suppliers, which handles large volumes of your customers’ personally identifiable information for you, has used this software and has had client data exfiltrated by the threat actors. This included data from your firm’s customers. You are shocked: you were unaware of your supplier’s use of this software. If you had known, you might have been able to alert them to the emerging threat in good time, and to ensure that they responded more swiftly and remediated the problem, thus keeping your customers’ data safe.

What came as an even greater shock was to learn that one of your customers, whose data had been leaked, had filed a class-action complaint not only against the provider of the file transfer software, but also against your supplier and your own financial institution for negligence.

Fourth-Party Risk Management: Risks beyond Third-Parties

This scenario, while imaginary, is not too far off from what actually happened to a range of financial services institutions, and to organisations from many other industries, during the MOVEit Transfer breach earlier this year. When threat actors exploited a zero-day vulnerability that was discovered in the software, they also exfiltrated large amounts of data handled by a company called PBI Research Services, a leading research service provider used by many financial institutions to determine whether their account holders are still alive, or to find beneficiaries. This research provider had used MOVEit Transfer to process its clients’ customer data. After being notified that their data had been compromised, a range of individuals filed a class-action complaint against several financial institutions, against PBI and against Progress Software, the company behind the MOVEit Transfer software.

Another example of fourth-party impacts during the MOVEit attack is the case of Zellis, a UK payroll services provider. Only days after Progress Software had published its notice about the discovery of a zero-day vulnerability in its MOVEit Transfer software, it emerged that Zellis had confirmed a data breach through its use of the software. Zellis also announced that eight of its clients had been affected as well. The affected parties included the BBC, British Airways, Boots and DHL, among others.

How a Fourth-Party Breach Could Impact Your Organisation

Given the verified threat of unauthorised access to files and the opportunities for data exfiltration during cyber attacks, any of your data, or your customers’ data, that is handled by your direct vendors, or by their subcontractors and third-parties (i.e. fourth-parties to you), may be at risk of being breached, resulting in the loss of confidential information.

In addition to the risk of data exfiltration, some attacks also give an attacker the potential to move onward into connected systems for further malicious activity, such as additional data harvesting, establishing a persistent presence for future exploitation, or the deployment of ransomware.

So your suppliers’ suppliers may in fact be the weakest link in your organisation’s supply chain. This is why the fallout from the MOVEit Transfer attack was so huge, reportedly affecting over 2,000 organisations worldwide and exposing the data of over 62 million people.

Risks beyond your immediate third-parties are of course much harder to spot and address. The inability to approach supply chain security more holistically and to identify risks beyond third-parties is therefore a fundamental flaw of traditional Third-Party Risk Management (TPRM) programmes: they simply cannot identify risks in the wider supply chain.

What Regulators Say about Fourth-Party Risks

Despite this difficulty in identifying potential fourth-party risks, regulators are increasingly demanding just that, extending the risk management requirements they expect organisations to implement and demonstrate to cover subcontractors of direct suppliers and other fourth-parties.

Article 29, point 2 of the EU’s Digital Operational Resilience Act (DORA), for example, states that:

Where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.

The Prudential Regulation Authority (PRA), meanwhile, requires the bodies it regulates to implement the European Banking Authority’s (EBA) ‘Guidelines on outsourcing arrangements’, which require regulated entities to maintain a register of their outsourcing arrangements that must also include, “where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored”.

The EBA’s Guidelines on outsourcing arrangements also state that entities should demonstrate awareness of “the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider” and of “the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them.”

These are just two examples of regulators’ increasing awareness and emphasis on supply chain risks beyond immediate third-party suppliers.

How to Identify and Address Risks beyond Third-Parties

The biggest challenge organisations face in meeting these regulatory requirements, and in responding to supply chain attacks more generally, is that they rarely have any visibility beyond their first-degree suppliers. It is one thing to investigate internally whether your own organisation uses a vulnerable piece of software, but it takes days (often weeks or months) before your suppliers, or your suppliers’ suppliers, have concluded their own investigations and notified the downstream customers who may already have been impacted by the incident.

This is exactly what happened in the case of the MOVEit Transfer breach. It is highly likely that companies like Boots, the BBC, British Airways, Aer Lingus and other affected Zellis customers were unaware that MOVEit software was used within the system provided by Zellis, and were therefore unaware that their data was at risk of compromise.

Gaining visibility over all your critical third-parties is the first step. But do you also have visibility over their third-parties? This is what’s required to fully understand the impact of a supply chain incident.

This is where Risk Ledger can help with its holistic approach to supply chain security. We combine a Third-Party Risk Management platform with a secure social network. Similar to a social network like LinkedIn, each organisation has a profile on Risk Ledger, which contains information about their business, their security controls and other relevant risk areas, including ESG and financial risk. This profile is then shared with their clients and customers. Clients can set requirements against the framework, so they can compare suppliers against criteria which matter most to them, using policies and tags.

Organisations can use Risk Ledger in the capacity of both a supplier and a client in their own right, meaning they can simultaneously show their security posture to their clients and monitor the security posture of their own suppliers, all on the same platform. This reveals many connections in both directions. Because of these connections, the network can provide a unique visualisation of an organisation’s wider supply chain ecosystem and uncover interdependencies and risks beyond immediate suppliers, into fourth, fifth, sixth and nth parties.

This, for the first time, allows an organisation’s wider supply chain ecosystem to be mapped. It also allows Risk Ledger to map the potential blast radius of supply chain attacks like the recent MOVEit Transfer attack and show organisations how they might come to be affected, as well as to identify concentration risks and potential single points of failure in an organisation’s, or even an industry’s, extended supply chain ecosystem.
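The mapping described above is, at its core, graph traversal over client-to-supplier relationships. The following added example (not Risk Ledger’s code, and not describing its platform’s internals) shows the three questions such a map answers on a small constructed supply-chain graph: which organisations sit at which tier (third, fourth, fifth parties), which organisations fall inside the blast radius of a compromised vendor, and which organisations are concentration risks because several of your direct suppliers depend on them. All organisation names and edges are hypothetical.

```python
from collections import deque

# Constructed sample supply-chain graph (hypothetical organisations, not real
# data). Each key is an organisation, each value the list of suppliers it
# relies on. "bank" is the organisation whose extended supply chain we map.
SUPPLY_EDGES = {
    "bank": ["payroll-provider", "research-provider", "cloud-host"],
    "payroll-provider": ["file-transfer-vendor", "cloud-host"],
    "research-provider": ["file-transfer-vendor", "printing-bureau"],
    "printing-bureau": ["cloud-host"],
    "cloud-host": ["dc-operator"],
    "file-transfer-vendor": ["dc-operator"],
    "dc-operator": ["power-utility"],
    "power-utility": [],
}


def _descendants(edges, start):
    """Breadth-first search: every organisation reachable downstream from
    `start` (excluding `start` itself), mapped to its shortest hop distance."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        org = queue.popleft()
        for supplier in edges.get(org, []):
            if supplier not in dist:
                dist[supplier] = dist[org] + 1
                queue.append(supplier)
    del dist[start]
    return dist


def _ordinal(n):
    suffix = "th" if 10 <= n % 100 <= 20 else {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def map_supply_chain(edges, root):
    """Group the extended supply chain of `root` by party number: direct
    suppliers are third parties (hop 1), their suppliers fourth parties
    (hop 2), and so on. Shortest path is used, so each organisation is
    listed once, at the closest tier where it appears."""
    tiers = {}
    for org, hops in _descendants(edges, root).items():
        tiers.setdefault(hops + 2, []).append(org)
    return {party: sorted(orgs) for party, orgs in sorted(tiers.items())}


def blast_radius(edges, compromised):
    """Every organisation that depends, directly or transitively, on the
    compromised vendor, i.e. the set that may be affected by its breach even
    if it never contracted with that vendor itself. Computed by walking the
    reversed graph (supplier -> clients)."""
    reverse = {}
    for org, suppliers in edges.items():
        for supplier in suppliers:
            reverse.setdefault(supplier, []).append(org)
    return set(_descendants(reverse, compromised))


def concentration_risks(edges, root, min_dependents=2):
    """Organisations in the extended supply chain on which at least
    `min_dependents` of `root`'s direct suppliers rely (a direct supplier
    counts as relying on itself). Returns (organisation, count) pairs,
    most concentrated first; each is a potential single point of failure."""
    dependents = {}
    for direct in edges.get(root, []):
        for org in {direct, *_descendants(edges, direct)}:
            dependents.setdefault(org, set()).add(direct)
    risks = [(org, len(d)) for org, d in dependents.items() if len(d) >= min_dependents]
    return sorted(risks, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for party, orgs in map_supply_chain(SUPPLY_EDGES, "bank").items():
        print(f"{_ordinal(party)} parties: {', '.join(orgs)}")
    affected = sorted(blast_radius(SUPPLY_EDGES, "file-transfer-vendor"))
    print("organisations in the blast radius of file-transfer-vendor:", affected)
    print("concentration risks for bank:", concentration_risks(SUPPLY_EDGES, "bank"))
```

In the sample graph the bank never uses the file transfer vendor directly, yet it sits inside that vendor’s blast radius through two different direct suppliers, which is exactly the MOVEit pattern the article describes. The concentration check surfaces the data centre operator and power utility that all three direct suppliers ultimately rely on; in a real programme those are the relationships worth asking suppliers about before an incident rather than after.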

During a Cyber Innovation Challenge led by the City of London and Microsoft, a tier-one bank used Risk Ledger to uncover potential blind spots, and within 48 hours was able to identify 36 fourth-parties connected to 14 direct suppliers, 175 fifth parties, 15 sixth parties and 27 seventh parties, as well as, most important of all, 7 potential concentration risks. The bank used this information to brief the Bank of England on what it is doing to increase its awareness of concentration risks and improve its operational resilience.

If you want to learn more about how Risk Ledger can help your organisation visualise your supply chain risks and allow you to take action to mitigate them, get in touch with our experts today. We look forward to hearing from you.
